Privacy Policy

TOPTROVE

TopTrove is more than just a service provider; it’s a catalyst for progress. TopTrove offers a comprehensive portfolio of innovative solutions that empower businesses to thrive in today’s dynamic landscape. Whether our clients are seeking to optimize operations, enhance security, or harness the power of AI, TOPTROVE has the expertise and resources to guide every step of the way.

Privacy Policy

Last updated: 07072025

Welecome to www.top-trove.com that represents TopTrove Europe and TopTrove Canada (collectively refered as “TopTrove“, “we“, “us“, “our”) registered in UK & Canada respectively. This policy governs the information we collect, use, share and otherwise process which identifies individuals (“personal data“), including visitors to our website: https://www.top-trove.com (“Website”), our customers, business partners (including suppliers/service providers), and job applicants (“you“, “your”).

We take our responsibilities seriously including how we handle your personal data, keep it secure and comply with applicable data protection and privacy laws. As part of our commitment to demonstrate compliance with such laws of UK, Europe, Canada, USA and Australia. .

The purpose of this privacy policy (“Policy”) is to clearly explain when, why and how we collect and use personal data as data controller, which we explain further below.

Please read this Policy carefully as it provides important information about how we use personal data and explains your legal rights. We may change this Policy and, when we do, we will post any changes on this page, so please check back frequently. If we make fundamental changes to this Policy, we will seek to inform you by notice on our Website or by email.

There may be external links to third party websites from our Website. This Policy does not apply to your use of any such third party website.

Our services are not intended for children (less than age 18) and we do not knowingly collect data relating to children.

To make this Policy as user friendly as possible, we have labelled sections of the Policy to make it easy for you to locate the information you are looking for, please click on the relevant section in index of the contents below.

CONTENTS OF OUR POLICY

WHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA?
PERSONAL DATA WE COLLECT, WHEN AND WHY WE USE IT, AND OUR LAWFUL BASIS FOR PROCESSING IT
DISCLOSURE OF YOUR PERSONAL DATA
INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA
RETENTION AND PROTECTION OF YOUR PERSONAL DATA
YOUR RIGHTS AND HOW TO EXERCISE THEM
MARKETING
ANY QUESTIONS?

WHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA?

TopTrove is the data controller for the personal data set out above for the purpose of conducting or developing our business with you. We area company registered in Scotland and Canada , and we can be contacted as follows:

By post: 274 G/L Hardgate, Aberdeen, AB10 6AA
By email at: info@top-trove.com

For the purposes of this Policy, when we refer to:

personal data, we mean any information relating to an identified or identifiable person;

data controller, we mean the person or organization that determines when, why and how to process personal data. It is responsible for establishing practices and policies in line with applicable data protection and privacy laws; and

data processor, we mean the person or organization which processes personal data on behalf of the data controller.

PERSONAL DATA WE COLLECT, WHEN AND WHY WE USE IT, AND OUR LAWFUL BASIS FOR PROCESSING IT

This Policy applies to the collection, and processing, of your personal data by us in order for you to enjoy the full functionality of our Website, otherwise in conducting business with us or seeking to conduct business with us, or apply for a job with us you.

We collect personal data from you directly:

through our ‘Contact Us’ and ‘The Trove” web pages;
if you would like to ‘ Book a free consultation’ with one of our experts;
If you have an account on our ‘Customer portal’ ;
if you apply for a job with us;
if you call us with a query; or
if you register to attend an event we host or sponsor, e.g., webinars or seminars or download materials from our Website.

We collect personal data during your use of our Website via the cookies we use, certain details of which aresetoutin thetablebelow.

Information From Other Sources

Where you apply for a position at TopTrove, we may also receive information indirectly from recruitment agencies and your references (including previous employers).

We may also obtain personal data about you from third parties, such as credit reference agencies, and publicly accessible sources such as Linkedin or internet search engines like Google.

The type of personal data we process differs depending on how you engage with us. The table below provides this information including how we will use personal data and the context for which we use your personal data:

Types of Personal data		Purpose	Legal Basis
Personal data we collect and use if you are a customer or prospective customer
First name, email business (billing and business	surname, address, addresses delivery), phone	For the provision of our services, which includes arranging an initial consultation with you, registering you as a new customer, processing orders, delivery of	In most cases, this processing is necessary for performance of a contract.

Types of Personal data	Purpose	Legal Basis
number / mobile phone number, job role, information about your employer (i.e. company name and location of business), username, password and information provided by you when submitting a support ticket (if you register on our Customer Portal), details about payments to and from you and other details of products and services you have purchased from us, your interests, preferences (including receiving marketing from us and our third parties and your communication preferences), feedback and survey responses, interactions via social media.	orders, fulfillment of services sending invoices and payment reminders, collecting payments, recovering outstanding monies and any other general contract management and administration purposes. Where you or your company provide us with products and services, we will collect your data in order to facilitate the TopTrove-vendor commercial relationship, which includes the above purposes such as management of invoices and contract management.	However, we also rely on our legitimate interest to recover debts owed to us, if applicable.
	To resolve any queries, complaints, feedback and requests, either through our Website ‘Contact’ page or through the support function on our Customer Portal	Our legitimate interest to respond to any correspondence or queries you send us, and to send service information about our services.
	To send marketing and promotional material, updates, newsletters, delivery of content via social media, and other related information that may be of interest to you, including, sending solicited information (e.g. quotes in response to an enquiry), surveys and promotions, webinars and seminars. We may contact you for the above purposes via email and possibly your postal address or phone number.	Where required by applicable law, your consent or where information is solicited. Otherwise, our legitimate interest to send you communications related to similar products or services to which you have previously purchased or entered into negotiations to purchase, where permitted by applicable laws.
Names, email addresses, business addresses.	To conduct data-analytic and market research for statistical and survey purposes and for internal business administration.	Our legitimate interest to measure the use of our services and interaction to inform and improve service/product direction and development and to enable provision of accurate and reliable reporting.

Types of Personal data	Purpose	Legal Basis
Personal data we collect and use if you use our Website
Information about how you use and interact with our services and website (“Usage Data”), such as data about your visits to our Website, your IP address, browser type and version, domain name, time zone setting and location, browser plug-in types and versions, click activity, referring website, operating system and platform and other technology on the devices you use to access our Website, your login details (if you register on our Customer Portal).	This data may be automatically collected through our use of cookies, server logs and other similar technologies, however it helps us to help us to keep our Website available and secure.	Where exceptions to the consent requirement apply, we have a legitimate interest in: • to providing and maintaining our Website through utilizing cookies that are strictly necessary, and to ensure it functions and operates efficiently; • detecting and preventing fraud and ensuring that your experience on our Website is as secure as possible.
	Where you agree to applicable cookies, the data collected helps to improve your experience when you visit our Website. This includes: (a) for statistical analysis to improve, test and monitor the effectiveness of our Website, troubleshoot issues related to website navigation and to inform decision making on changes necessary; (b) to ensure content on our Website is presented in the most effective manner for you; and (c) to enhance your use of our Website to monitor metrics such as total number of visitors and traffic data (including demographic patterns).	Where required by law, we obtain your consent for cookies and other tracking technologies that are not strictly necessary, such as cookies relating to performance, functionality and targeting. .
Personal data we collect and use if you apply for a job with us
First name, surname, contact details (including residential address, email address	To respond to request for vacancies and for recruiting and hiring purposes.	The processing is necessary for us to administer our contract with you – or take steps to consider entering into an employment contract with you.

Types of Personal data	Purpose	Legal Basis
and phone number / mobile phone number), date of birth, gender, national identification number, Linkedin profile details, details of your qualifications, skills and education and professional history, CV / resume, cover letters, application forms, references, candidate assessment (including interview notes); information relating to right to work and information about your skills, experience and education, (where applicable) health data required to make reasonable adjustments for interviews, notice period and salary expectations	To carry out right to work checks and comply with our legal requirements, such as to make reasonable adjustments if you are successful in obtaining a position with us.	Necessary to comply with relevant employment law obligations (for example, carrying out right to work checks).
	To improve our recruitment process and activities.	Necessary for our legitimate interests to maintain our reputation as a leading employer.
All Data Subjects
All data above mentioned.	In connection with any merger, sale, transfer of our assets, investment, acquisition, bankruptcy, or similar event or corporate transaction.	In these circumstances, processing would be necessary for our legitimate interests to ensure we can protect and grow our business.
All data above mentioned.	Ensuring our compliance with legislation and legal process.	We have a necessity to comply with our legal obligations such as providing information in the context of our tax and financial legal obligations.
All data above mentioned.	Establishing our rights or defend ourselves against any dispute that may arise.	We have a legitimate interest to ascertain, exercise and / or defend our rights and ensure our business continuity.

Types of Personal

data

Purpose

Legal Basis

All data above

mentioned.

To help us improve and optimize our products and services.

Where exceptions to the consent requirement apply, we have a legitimate interests to maintain our reputation as a leading provider of application security testing solutions to customers across the globe.

In limited circumstances we may process any of the personal data we hold to the extent necessary to defend, establish and exercise legal claims or to comply with legal or regulatory obligations.

Where we need to collect personal data due to a legal or regulatory obligation, or for performance of a contract, and you do not provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our services). We will notify you of this at the time.

Aggregated data

We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data is data which may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.

Special categories of personal data

We do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offence.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.

DISCLOSURE OF YOUR PERSONAL DATA

Depending on your dealings with us, we may disclose some or all of the personal data we collect from and obtain about you to the following:

Personnel: Personal data is shared internally on a need-to-know basis to our staff and personnel including directors, shareholders, employees, contractors and other temporary workers.

External Recipients

Service Providers and Data Processors: We engage third party vendors, from time to time, including:

• IT service providers such as Microsoft and Kaseya to help manage our IT and back office systems;

• website and email marketing service providers, such as Guru, WordPress, MailChimp and GoogleAds;

• analytics and search engine providers such as Microsoft Bing Adverts and Google Analytics to help us improve and optimize our services;

• professional advisors, such as tax or legal advisors (for example, as necessary for the establishment, exercise or defence of legal claims or to protect our rights or safety);

• recruitment agencies;

• agents, suppliers or sub-contractors and other associated organisations where they are engaged by us to help deliver a service that we have instructed them on, such as Sage for customer invoicing and DocuSign to conclude customer contracts;

• (where you attend a TopTrove hosted or sponsored event) event organizers, logistic and production companies in connection with events that you may attend;

Third parties in case of a legal requirement: We disclose your personal data if disclosure is required by law or in the context of an investigation, regulatory requirement, judicial proceeding, court order or legal process (including to law enforcement or competent authorities like the police and tax authorities).

Third parties in case of a corporate transaction: Information about our customers, including personal data, may be disclosed as part of any merger, sale, transfer of our assets, investment, acquisition, bankruptcy, or similar event, including while engaging with our actual or potential investors.

INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA

Some of the recipients listed in DISCLOSURE OF YOUR PERSONAL DATA above may be based outside the United Kingdom and / or European Economic Area, such as the United States.

Where required by law, we implement appropriate safeguards in accordance with safeguards to protect your personal data when it is transferred internationally, or to third party service providers. If you are resident in:

the UK – this may include our entering into the UK International Data Transfer Agreement or Addendum, and additional measures to supplement such clauses as may be required in line with transfer impact assessments we carry out, to prevent interference by public authorities of third countries; and / or
the EEA – the applicable module of the EU Standard Contractual
the USA – the applicable module of the USA fedral & state laws (CCPA & GDPR)
the Canada– the Personal Information Protection & Electronic Documents Act (PIPEDA)
the Australia– the Privacy Act 1988 (Privacy Act)

If you would like to find out more about any such transfers or obtain a copy of the applicable safeguards (which may be redacted to ensure confidentiality), please contact us using the details set out in WHO IS RESPONSIBLE FOR LOOKING AFTER YOUR PERSONAL DATA .

RETENTION AND PROTECTION OF YOUR PERSONAL DATA

We will not retain your personal data longer than it is necessary to carry out the purposes listed in

PERSONAL DATA WE COLLECT, WHEN AND WHY WE USE IT, AND OUR LAWFUL BASIS FOR PROCESSING IT of this Policy or than is required by local laws of the applicable country..

In some circumstances we may retain your personal data for longer periods of time, for instance where we are required to do so in accordance with legal, regulatory, tax or accounting requirements. In specific circumstances we may also retain your personal data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your personal data or dealings.

Where your personal data is no longer required we will ensure it is either securely deleted or stored in a way which means it will no longer be used by the business.

We have implemented and maintain appropriate technical and organizational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the authorized disclosure or access to such information appropriate to the nature of the information concerned. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect User IDs and passwords, please take appropriate measures to protect this information.

YOUR RIGHTS AND HOW TO EXERCISE THEM

You have several rights in relation to your personal data set out in this section. In certain circumstances these rights might not be absolute, as they depend on our reason for processing your personal data. You are not required to pay any charge for exercising your rights, although we may charge a reasonable fee if your request is repetitive or excessive. We have one month to respond to you (unless you have made a number of requests or your request is complex, in which case we may take up to an extra two months to respond).

Please note that, where we ask you for proof of identification, the one-month time limit does not begin until we have received this. If we require any clarification and/or further information on the scope of the request, the one-month deadline is paused until we receive that information.

Right	What this means
Access	You can ask us to: • confirm whether we are processing your personal data; • give you a copy of the personal data we hold about you; or • provide you with other information about your personal data such as what data we have, what we use it for, who we disclose it to, whether we transfer it abroad and how we protect it, how long we keep it for, what rights you have, how you can make a complaint, where we got your data from etc., to the extent that information has not already been provided to you in this Policy.
Rectification	You can ask us to rectify inaccurate or incomplete personal data. We may seek to verify the accuracy of the data before rectifying it.
Erasure	You can ask us to erase your personal data, but only where: • it is no longer needed for the purposes for which it was collected;

	• you have withdrawn your consent (where the data processing was based on consent); • following a successful right to object (see ‘Objection’ below); • it has been processed unlawfully; or • to comply with a legal obligation to which we are subject. We are not required to comply with your request to erase your personal data if the processing of your personal data is necessary: • for compliance with a legal obligation; or • for the establishment, exercise or defence of legal claims. There are certain other circumstances in which we are not required to comply with your erasure request, although these two are the most likely circumstances in which we would deny that request.
Restriction	You can ask us to restrict (i.e. keep but not use) your personal data, but only where: • its accuracy is contested (see “ Rectification” above), to allow us to verify its accuracy; or • the processing is unlawful, but you do not want it erased; or • it is no longer needed for the purposes for which it was collected, but we still need it to establish, exercise or defend legal claims; or • you have exercised the right to object, and verification of overriding grounds is pending. We can continue to use your personal data following a request for restriction, where: • we have your consent; or • to establish, exercise or defend legal claims; or • to protect the rights of another natural or legal person.
Portability	You can ask us to provide your personal data to you in a structured, commonly used, machine-readable format or you can ask to have it ‘ported’ directly to another data controller, but in each case only where: • the processing is based on your consent or on the performance of a contract with you; an • the processing is carried out by automated means.
Objection	You can object to any processing of your personal data which has our ‘legitimate interests’ as its legal basis (see PERSONAL DATA WE COLLECT, WHEN AND WHY WE USE IT, AND OUR LAWFUL BASIS FOR PROCESSING IT above) if you believe your fundamental rights and freedoms outweigh our legitimate interests. Once you have objected, we have an opportunity to demonstrate that we have compelling legitimate interests which override your rights and freedoms.
International Transfers	You can ask to obtain a copy of, or reference to, the safeguards under which your personal data is transferred outside of the UK, European Economic Area, Canada & Australia. We may redact data transfer agreements or related documents (i.e. obscure certain information contained within these documents) for reasons of commercial sensitivity.

Supervisory Authority	You have a right to lodge a complaint with your local supervisory authority about our processing of your personal data. In the UK, the supervisory authority for data protection is the Information Commissioner’s Office or ICO (https://ico.org.uk/). We ask that you please attempt to resolve any issues with us first, although you have a right to contact your supervisory authority at any time.
Withdrawal of consent	If you have given your consent to the processing of your personal data, you can revoke it at any time with effect for the future. The lawfulness of the processing of your data before this remains unaffected.

MARKETING

Subject to your consent where required by local law, we may communicate with you by email or phone to tell you about our services or any offers we think may be of interest to you. If you wish to opt-out of receiving marketing communications, please use the ‘unsubscribe’ link provided in our emails, or otherwise contact us directly and we will stop sending you communications.

We do not engage in automated decisions about you in connection with our Website, but we will notify you if this changes.

ANY QUESTIONS?

If you have any questions that have not been covered by this Policy, please contact us via email at: info@top-trove.com

If you have a complaint or concern about how we use your personal data, please contact us in the first instance and we will attempt to resolve the issue as soon as possible. You also have a right to lodge a complaint with your national data protection supervisory authority (e.g. the ICO in the UK) in the at any time, however, we ask that you please attempt to resolve any issues with us first.